You are reviewing suspicious activity surfaced in a SIEM and need to determine whether it is a real security incident, a noisy false positive, or an indicator of a broader control gap. You want to move quickly without disrupting normal operations, while making sure the right people are informed and the investigation is documented well enough to support escalation if needed.
How would you investigate suspicious activity in logs using a SIEM such as OpenText ArcSight, and how would you structure the execution so the investigation is timely, defensible, and actionable?